Background of the Invention 
Field of the Invention 

The present invention is an improved system and method for providing system 
security in a computer. More particularly, the present invention relates to 
5 improved security provided by the operating system of a personal computer. 



Background Art 

|^ QL'^> N ^ ecur ' t y> particularly data security, is an essential aspect of any computer and its 



1% operating system can provide address that security. It is desirable to make data 
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and programS^tored on a computer system available to authorized users with a 

f \ 
|o minimum of effort bH^nd delay to) an authorized user with minimum overhead to 
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the computer while preferably^denying access to the programs and data to those 
who are not authorized to use the data and programs (or at least delaying 
substantially and requiring much time anXtrouble). 



It is well known to have a "power-on" password on a computer system. Such a 
15 system allows an authorized user to identify himself as an authorized user by his 

entry of the power-on password, then access the data and the programs stored 
on the computer. 
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It is also well known, particularly in large computer systems and in 
networks, to have different levels of security provided by password control. That 
is, a first user (or group of users) might have one level of authorization to perform 
some functions with the computer or the network and to be denied performing 
other functions, with a second user (or group of users) with a higher authorization 
being permitted to perform those functions the first user was denied. For 
example, in a grocery store, a cashier may be able to process sales transactions 
but not "credit" transactions (or credit transactions above a threshold), which 
may require a manager's authorization). As a second example of differing levels 
of authorization, in a mainframe computer, the password of the system 
administrator must be employed to add a new user to the list of authorized users, 
a function which an authorized user would not be permitted to perform. 

But a personal computer might be subject to a variety of attacks, ranging 
from a physical attack (an attempt to get into the hardware by removing a cover 
or other enclosure) to repeated entry of different passwords to try to find the right 
password (a process which has been called "hammering" in the trade). 
Many of the present day personal computers have some form of security, 
perhaps a power-on password. These systems lack a log of the access attempts 
and the results thereof, allowing someone to try repeatedly different passwords 
until the valid password is determined. Some systems have a system which locks 
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up after several failures to enter the proper password, but these systems then 
allow the computer to be powered down and powered back up for repeated 
efforts to find the right password. This system of having to power the computer 
down and back up may slow down the process of breaking into the computer but 
it does not prevent it. 

Although it might be assumed that a personal computer bears a greater 
risk of security breaches at some times rather than others (for example, at night 
or on a weekend in an office environment, the security risk is greater because 
fewer people are present), the present security systems for personal computers 
do not take into account that the risk of security attempt differs by the day and 
time. 

The Operating System Patent discloses the functions of an operating 
system and suggests some limited forms of security for the personal computer. 
Other personal computers on the market include some forms of security, 
sometimes quite limited such as a key lock, while others rely on a power-on 
password. 

Accordingly, the current systems for providing computer security, 
particularly in a personal computer system, have undesirable limitations and 
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disadvantages. 




Summary of the Invention 

The present invention has the advantage that it is simple but effective 
method of providing improved security in a personal computer through the use of 
the operating system to control security modes in a personal computer. Different 
passwords for different authorization levels and improved security through the 
use of algorithms stored in the personal computer through the operating system 
provide increased levels of security while allowing the functions a permitted user 
enjoys to be performed with a minimum of overhead and trouble. 

Th^present invention also maintains a log of the attempt to access the 

personal computer-arid the results of those attempts, so that access may be 

\ 

terminated when a predetermined threshold of unsuccessful password attempts 
has been reached. The log can ^queried to determine whether suspicious 
patterns of activity have been encountered and, based on the log of successful 



password attempts, it may be able to determine whether the security of the 
personal; computer (particularly its data and programs) hafc^een breached. 



It is thus an object of the present invention to provide increased security 
for a personal computer. The present invention allows the operating system to 
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set up levels of security through the use of the operating system to provide 

various levels of authorization for any particular user of the computer. 

Other objects and advantages of the present invention will be apparent to those 

skilled in the relevant art in view of the following description of the preferred 

embodiment, taken together with the accompanying drawings and the appended 

claims. 

Brief Description of the Drawings 

Having thus described some of the objects and advantages of the present 
invention, others will be made apparent to those skilled in the art in view of the 
following drawings taken together with the description in which the present 
invention of an improved security system and method is shown in which: 

Fig.1 is a pictorial view of a personal computer environment of the present 
invention; 

Fig. 2 is a block diagram of certain components of the personal computer of Fig. 
1; 

Fig. 3 is a flow chart of the security system of the present invention; and 

Fig. 4 is an illustration of a security profile stored in the personal computer and 
useful in practicing aspects of the present invention. 
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Detailed Description of the Preferred Embodiment 

In the following description of the preferred embodiment, the best 
implementation of practicing the invention presently known to the inventors will 
be described with some particularity. However, this description is intended as a 
broad, general teaching of the concepts of the present invention in a specific 
embodiment but is not intended to be limiting the present invention to that as 
shown in this embodiment, especially since those skilled in the relevant art will 
recognize many variations and changes to the specific structure and operation 
shown and described with respect to these figures. It will also be recognized that 
some of the advantages of the present invention will be available through the use 
of certain features, but that other features may be omitted or changed without 
losing the benefits of the present invention. 

Before describing the preferred embodiment of the present invention in 
detail, it is advisable to provide definitions of certain terms which are useful in 
understanding the present invention: 



The S^stecnOwner is the user who us responsible for the configuring and 
placing the system in the s^cuced mode initially. The System Owner will control 
configuration both initially and whenevfer^n update needs to be made. The 
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System Owner will control the Security Password and be responsible for 
maintair^ its integrity. The System Owner will maintain physical security of a 
tamper^vident^ye^key lock. The System Owner will be responsible for 
maintaining security logfcvon all systems. The System Owner will also have to 
record all attempted security breaches. The System Owner may own more than 
one system. The System Owner is considered an authorized user and can also 
be considered a normal user. 



^ Software Security Owner is the administrator who is responsible for the 

J; 

!j| Software on a system. As many of the security features in the present system will 

?* 

iJb be controlled by the operating system, it is necessary to have a super-user 

administrator with the ability to control access to the software available to the 
system. The Software Security Owner must work with the System Owner, and, in 
many cases, will be the same as the System Owner. 
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Authorized User is any user who is given permission to use the Security 
Password. This may or may not be the System Owner. The Authorized User may 
have a key for a particular system or set of systems. If this person is responsible 
for recovering a system from a security breach, this person must report it to the 
System Owner. 

Normal User is a user who is permitted to use some of the features of the 
System. A Normal User may change the configuration of the system to a more 
secure state from a less secure state (such as permitting fewer access attempts 
before requiring the system to close down), but is not permitted to fix a problem 
or to make a system less secure from a more secure state (activities which 
require the System Owner or Network System Security Owner). The Normal User 
does not have the Security Password or the cover key and is not permitted to 
make configuration changes to the System. 

Unauthorized User is anyone who is not a System Owner, an Authorized 
User, a Network System Security Owner or an Authorized User for the particular 
system. Any use of the system by an Unauthorized User (other than an 
unsuccessful power-on password attempt) is considered a security breach and 
must be trackable. 
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Trusted Kernel is a software module which is assumed to be able to 
provide an operating system with appropriate levels of security preserved 
throughout its operation. That is, a normal user would be limited to performing 
the functions of a normal user but would not be able to assume the role of a 
Software Security Owner without authorization. Various forms of trusted kernels 
are in use in operating systems such as IBM's OS/400 operating system, 
Microsoft's Windows NT and various forms of UNIX operating system. 

Since the System Owner may set up the system to allow network access 
and remote administration of the security, the Network System Security Owner 
administers the security of the system remotely. This is less secure than having 
all the security of the system being done locally, but it may be sufficient security 
for some environments. 

Levels of Security are those levels of permission which have been 
established to control access to data and functions of a computer. The levels 
may be set to the preferences of the System Owner through the use of the 
software and the Trusted Kernel, but for illustrating the present invention, a 
system with 5 levels of security is useful for consideration. The highest level of 
security, Level 0, is the level at which the System Owner operates. The System 
Owner has access to the entire computer system, including its hardware and 
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software and the hardware security and can assign levels of security to others. 
He can turn on and off the Network System Security and assign authorized users 
and their level of security. Level 1 Security is that of the Network System 
Security, a privilege which includes all of the powers of Level 0 except that this 
person cannot establish his own privilege, although he can delete it. Level 2 
Security is the level at which the Software Security Owner operates with the 
ability to control users and passwords and assign system resources to various 
users. In Level 2 security also involves as much of the rights of the System 
Owner and the Network System Security as they choose to delegate. Level 3 
security is the level a Normal User operates at. His privilege is normally 
restricted to using those files and system resources that a super-user (one with a 
higher level of security) permits him to operate. Level 4 security is the lowest 
level of privilege and is essentially none. 

Tig^ 1 is a pictorial view of a personal computer 10 useful in practicing the 
present inventioh^The personal computer 10 includes a display 1 1 coupled to a 
system unit 12, with a l^yboard 14 attached to the system unit 12. Additionally 
shown in this Fig. 1 , although optional in fact, are a mouse 16 for user input and 
a printer 18 for providing printed output from the personal computer 10. Not 
shown in this Figure, but well known in the art, tfievpersonal computer 10 may be 
connected, either through some standard attachment or through a modem, to a 
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network and may include a variety of temporary and permanent memory and 

storage in the form of random access memory (RAM), read only memory (ROM) 

- vL- \ 

Qgyv and disk storage, either in the form of one or more hard drives or one or more 
drives with^movable media such as CD-ROM's and floppy diskettes. The data 
and programs stored on a personal computer have value to the other and to 
others who want to have%access to the data (and sometimes to a lesser extent, 



the programs), and it is to recfuce the likelihood of access to such programs and 
data that the present invention is addressed. The system unit 12 includes covers 
which surround the storage and processor, covers which may be secured against 



i M) tampering by a key lock and/or tamper indicating circuitry. 
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Fig. 2 is a block diagram of portions of the personal computer 10 shown in 
Fig. 1 and which forms the environment of the present invention. The personal 
computer 10 includes the keyboard 14 coupled to the system unit 12 which 
contains memory or storage 20. The memory 20 which may be composed of 
5 several different memory technologies, includes storage for an operating system 

22 which, in its preferred embodiment, includes a boot program 24 and a 
power-on-self-test program 26. Storage for a security profile 70 which is created, 
stored and updated as will be described later, particularly in connection with Fig. 
Jj 4 is stored in Flash memory along with BIOS and POST 26 and is locked when 

$0 BIOS and POST are not executing. The memory 20 also includes a log 28 listing 

3* the access attempts for the personal computer 1 0 and results of each access 

J * attempt so that the system can be audited and that a record of failed access 

attempts will indicate that the system has been under attack. 




A syfctem in its most secure state when access is only granted to a level 0 



15 person. It is irHtJeast secure state when access is granted to a level 4 person. 

\ 

\ 

Fig. 3 is a flow chart ilTostrating the process of the present invention. 
During the power-on-self-test, the security profile can be written and read as 
desired, but after POST is completed, a norrn&luser can only write ones into the 
security profile. Thus, the memory is all ones in its rrtost secure state and all 0's 



RP9-98-055 



# 



when it is in its least secure state. This has the advantage that, should power be 

lost to\he personal computer for long enough to drain the power, the system will 

i \ 

default to kNones or its most secure state. Of course, the security profile can be 
updated (e.g^t^y the System Owner) using his privilege password (e.g., the PAP 
or PA) to make the^ecurity profile less secure, if desired. Since some of the 
fields (such as the tam^per evident field) may be programmed to shut the personal 
computer down to normal^sers, it would be essential that there be a mechanism 
available to someone to reverse such fields, but this is a privilege of a super-user 
or system owner and not permitted "toa normal user. If a normal user attempted 
unsuccessfully to give himself the rights v of a System Owner, for example, or other 
privilege, he would like to erase the record of such attempts, while the System 
Owner would certainly wish to preserve the indication of such unauthorized 
activity. 



Fig. 4 illustrates a security profile of the type which is generated, stored 
and updated as a result of the improved security processes of the present 
invention. A security profile 70 includes a plurality of fields, each of which either 
indicates a level of authorization for the individual or a level of security risk. The 
security profile 70 is stored in the memory of the personal computer, and an 
authorized user is permitted to adjust the security profile to a more secure state 
from a less secure state, but only someone with the security password (e.g., the 
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System Owner or the Software System Owner) can adjust the security profile from 
a more secure state to a less secure state. That is, the operating system will 
allow the status of the configuration to be changed only if it is in a non-secure 
state or if the security password is entered. 

In the present system, it is envisioned that a more secure state will be 
assigned to a binary 1 and a less secure state will be assigned to a binary 0, and 
a field can be changed from 0 to 1 as a result of a user request. Obviously, the 
choice of which binary state represents greater security and which represents 
less security is one of design choice and not an integral part of this invention, 
although the choice of one as the more secure state does have an advantage 
which will be discussed elsewhere in this document. A Security Password, such 
as a Privilege Access Password (PAP) or an Administrator Password (AP), is 
required to change a 1 (a more secure state) into a less secure state 0 in the 
security profile 70 stored in the memory of the personal computer 10. 

The security profile 70 which is envisioned to include some six bytes in its 
preferred embodiment, but which can be expanded or contracted as appropriate 
for the situation) includes a first field of one bit which is a tamper evident field 72. 
This field requires the correct Privilege Access Password to reset. This field will 
be set if a physical security breach is detected, as in the opening of covers of the 
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system unit 12. It may also be set by an operating system API, by a tamper switch 
in the mechanical locking mechanism of the cover, or by either the presence or 
the absence of a signal, such as a radio signal. Such a signal might indicate that 
a personal computer has been improperly removed from a network. 

^Thesecond field 74 of the security profile 70 is a field which indicates the 
number of unsufcqessful attempts at entering the user password that would be 




permitted before the system is shut down. In this example, 000 would equal 7, 
001 would equal 6, , 010 woulafequal 5, 01 1 would equal 4, 100 would equal 3, 
101 would equal 2, 1 10 would equal 1 ahcjl 1 1 would equal 0. The user would be 
permitted to attempt the number of permitted unsuccessful attempts plus one, to 
allow for a successful attempt at the end. This field cbtild be set by an operating 
system API (for example, to take into account a greater security exposure during 
certain time periods, like late evening or on certain days, like weeKfeqds). 

A next field 76 of the security profile 70 is a level of access field. This 
could be used to determine if a user will be permitted to use functions like 
receiving data over IP. This could be used to indicate the level of data which 
could be received (like X,R,PG, etc.) or like military classifications of unclassified, 
confidential, secret, top secret, code word, etc. An end user could reduce the 
level of secure traffic which he can use, but not to increase it without the privilege 

RP9-98-055 16 



# # 

from the Security Password. 

Following the field 76 in the security profile 70 is a two bit field which 
would allow for network privileges for privilege or super-user privilege fields. 
These may be turned from 0 to 1 by either an operating system API (for weekend 
or after hours, for example), or because too many unsuccessful attempts had 
been made). 

Field 78 allows five bits for expansion of the security and authorization 
system to include additional function or privilege to be added at a later date. 
Field 80 is bit 17 and is used to signal that a following four bits refer to a memory 
location where extension fields will be located. 

Of course, many modifications of the present invention will be apparent to 
those skilled in the relevant art in view of the foregoing description of the 
preferred embodiment, taken together with the accompanying drawings. For 
example, the content and positioning of data within a security profile are arbitrary 
and subject to change if desired. The algorithms and rationale as well as the 
security indicators described in connection with assessing the security risk of the 
system and the levels of security can be adjusted to suit the perceived risk to the 
System Owner. Additionally, the "1" and "0" of the security profile could be 
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reverse without departing from the spirit of the present invention. Further, it is 
possible to derive some of the benefits of the present invention through the 
selective use of features of the present security system without the corresponding 
use of other features. Accordingly, the foregoing description of the preferred 
embodiment should be considered as merely illustrative of the principles of the 
present invention and not in limitation thereof. 
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